Information on malware known as Ransomware

This article provides information on malware threats known as 'ransomware' and answers some of the common questions.

Applies to the following Sophos product(s) and version(s)

Not product specific

Operating System(s) Windows only

What is Ransomware?

Ransomware is malicious software that denies you access to your computer or files until you pay a ransom. There are two types of ransomware that SophosLabs is commonly seeing:

Encrypts personal files/folders (e.g., the contents of your My Documents folder - documents, spreadsheets, pictures, videos). Once encrypted, the original files are deleted, and there is generally a text file in the same folder as the now-inaccessible files with instructions for payment. You may see a lock screen, but not all variants show one; instead you may only notice a problem when you attempt to open your files. This type is called 'file encryptor' ransomware. For example, CryptoLocker is a file encryptor that Sophos Anti-Virus detects as Troj/Ransom-ACP.

'Locks' the screen (presents a full-screen image that blocks all other windows) and demands payment. No personal files are encrypted. Example screenshots of this type running on a computer are shown below. This type is called 'WinLocker' ransomware.

There is also 'MBR ransomware'. The Master Boot Record (MBR) is a section of the computer's hard drive that allows the operating system to boot up. MBR ransomware changes the computer's MBR so the normal boot process is interrupted and a ransom demand is displayed on screen instead.

Watch CryptoLocker in action

CryptoLocker is a newer type of ransomware that encrypts personal files and then demands a payment of 300 USD to release them. Watch the video below to see it in action.

Which operating systems are susceptible to this type of attack?

As with a lot of malware, the majority of ransomware targets the Microsoft Windows operating system.

Does Sophos Endpoint Security and Control protect my computer from ransomware?

Yes, but the malware writers are constantly updating and releasing new variants and families. You must stay fully up to date with the latest Sophos releases and ensure all your computers adhere to our best practice advice on Sophos Anti-Virus settings.

Avoid opening any attachment emailed to you that you were not expecting.

Watch out for emails whose attachments or wording suggest you must reply quickly or 'act fast'; this pressure is intended to make you open the attachment without considering the source.

Check your Sophos shield in the system tray and make sure it does not have a red cross or warning triangle.

[Screenshots: shield icon in its good and bad states]

Move your mouse pointer over the shield and ensure 'On-access scanning: disabled' is not shown.

[Screenshots: shield tooltip in its good and bad states]

Double-click the Sophos shield to open the program. On the left-hand side, under the 'Status' panel, make sure the 'Last updated' value is recent. Note that the date shown when hovering the mouse pointer over the shield does not indicate a recent update in protection, only that the computer checked with the update source and is in sync.

Contact your IT department if in any doubt.

Botnet

Your computer was already infected with malware (though not file-encrypting ransomware), and you may not even have been aware that malware was running. The existing botnet malware included a general-purpose "upgrade" command that allows the crooks to update, replace, or add to the malware already on your PC.

Ensure all your computers are up to date and run a full scan, either locally or from the console.

Operating system or software exploit

The malware exploits a security vulnerability in the computer's operating system or an application that is installed on the computer.

Ensure your (all) computers are up to date with Microsoft patches. Performing a 'Windows Update' locally on a regular basis is important. For IT admins we offer Sophos Patch which allows you to scan for missing OS and software patches. See article 114162 for more information.

What's the difference between ransomware and fake-antivirus?

WinLockers, file encryptors and malware that affects the computer's MBR with monetary demands (all described at the beginning of this article) are ransomware. Fake-antivirus pretends to find malicious files on your computer and for a fee says it will remove them.

Both try to extort money, but in different ways.

Can I do anything more to protect my computer from ransomware?

Ensure that your computer(s) are running the latest version of our software and up to date with identity files. Also make sure our software is configured for best protection.

If you are a network administrator you should educate your users on staying safe while online and consider a multi-tiered security solution such as our Unified Threat Management (UTM).

What names are reported when ransomware is detected?

There are also more generic detections such as Mal/Encpk-*, which include both ransomware and other malware that shares common properties.

Identifying malicious files and submitting samples

If a malicious file is not being detected or cleanup of the infection is incomplete you need to identify the malicious files and submit samples to SophosLabs for further analysis.

If you cannot identify anything malicious and you have access to the computer (local or remote), download the ZIP version of the Sophos Diagnostic Utility and run the command-line version with the '-malware' switch (see article 116537 for details on the malware switch). Submit the output log file set with a support query to Technical Support, fully explaining the situation and what you have observed so far.

Once the files have been analyzed by SophosLabs, an update has been released and your computer has received that update, you can run a full scan of the computer (either locally or from the console) to fully remove the infection.

How do I remove the malicious files from my computer that are detected?

If you are certain that there are malicious files on your computer that are not being detected see the section Identifying malicious files and submitting samples above before running a full scan. If you are not certain or you have submitted samples and an update has been released, run a full system scan:

What should I do if files have been encrypted?

Your data cannot be recovered and unfortunately we cannot recover it for you in-house as it is not technically possible.

Once any malicious files have been removed the encrypted files should be replaced from a recent backup.

Note: It was possible to decrypt files encrypted with early versions of ransomware. However, the latest versions use a public and private key system, where the public key is used to encrypt and the private key is used to decrypt. The private key remains on a central server maintained by the crooks and hence is not available.

What should I do if I am locked out of my computer?

Note: If you have been locked out of your computer by a warning screen (see screenshots above) and you know all your personal files have not been encrypted (e.g., by checking in Safe Mode or remotely from another network computer) you have a WinLocker type of ransomware.

If you have access to only one computer (the infected computer) then you should try:

Logging on to the computer with another user account (to bypass the malware if it is only affecting your current user account).